PatchSiren

CVE-2017-5575 Metalgenix CVE debrief

CVE-2017-5575 is a critical SQL injection issue in GeniXCMS that can let a remote attacker submit crafted input through the modules parameter and execute arbitrary SQL. The CVE was published on 2017-01-23. The supplied corpus ties remediation to GeniXCMS v1.0.0, and NVD’s CPE data also marks versions up to 0.0.8 as vulnerable. Because the corpus includes both a descriptive range (“before 1.0.0”) and a narrower CPE range, defenders should validate the exact deployed version against the vendor fix and treat older GeniXCMS deployments as at risk until confirmed patched.

Vendor: Metalgenix
Product: CVE-2017-5575
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and security teams responsible for GeniXCMS deployments, especially any internet-facing instances running versions released before the v1.0.0 fix.

Technical summary

The vulnerability is classified as CWE-89 (SQL Injection) and has a CVSS 3.0 vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating unauthenticated network exploitation with high confidentiality, integrity, and availability impact. The issue is described as being reachable via the modules parameter in inc/lib/Options.class.php. The supplied references point to a GitHub issue and the v1.0.0 release as the patch location.

Defensive priority

Critical. The attack surface is remote and unauthenticated, and the impact is severe. Prioritize patching or removing exposed GeniXCMS instances, then validate that the deployed build includes the v1.0.0 fix or equivalent.

Recommended defensive actions

  • Upgrade GeniXCMS to a version that includes the v1.0.0 fix referenced in the supplied corpus.
  • If immediate upgrade is not possible, remove public exposure of the application or place it behind strict access controls until patched.
  • Inventory all GeniXCMS deployments and confirm the exact installed version, since the corpus contains both a 'before 1.0.0' description and an NVD CPE range ending at 0.0.8.
  • Review application logs and database activity for signs of unexpected SQL errors or anomalous requests involving the modules parameter.
  • Apply standard SQL-injection hardening measures in the application and environment, including input validation and least-privilege database credentials.
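
For the log-review action above, a triage sketch that flags requests whose modules value is not a plain module name, or that returned a server error. This is an added example, not code from the advisory or from GeniXCMS. Assumptions: Apache/nginx "combined" access logs, the parameter arriving in the query string (POST bodies are not in access logs), a hypothetical /index.php path, and an allowlist of letters, digits and `_ . , -` for legitimate values.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: legitimate values are plain module names, optionally comma-separated.
SAFE_VALUE = re.compile(r'[A-Za-z0-9_.,-]*')
PARAM = "modules"  # parameter named in the CVE description


def triage(lines):
    """Return one finding per `modules` value that is not a plain name,
    or that coincided with a 5xx response (possible surfaced SQL error)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes keys and values before we inspect them.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.split("[", 1)[0] != PARAM:  # also covers modules[]=...
                continue
            reasons = []
            if not SAFE_VALUE.fullmatch(value):
                reasons.append("unexpected characters")
            if m["status"].startswith("5"):
                reasons.append("server error")
            if reasons:
                findings.append({"line": n, "ip": m["ip"], "value": value,
                                 "status": int(m["status"]), "reasons": reasons})
    return findings


# Constructed sample lines (documentation IP ranges, hypothetical path); not real traffic.
SAMPLE = [
    '198.51.100.7 - - [23/Jan/2017:10:00:01 +0000] "GET /index.php?modules=gallery HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Jan/2017:10:00:05 +0000] "GET /index.php?modules=gallery%27%20-- HTTP/1.1" 500 0 "-" "curl/7.50"',
    '203.0.113.9 - - [23/Jan/2017:10:00:09 +0000] "GET /index.php?modules%5B%5D=a%22b HTTP/1.1" 200 312 "-" "curl/7.50"',
    '198.51.100.7 - - [23/Jan/2017:10:00:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A hit is a lead for review, not proof of compromise; correlate flagged source addresses and timestamps with database error logs for the same window.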

Evidence notes

Primary evidence comes from the official NVD record and the CVE record. The NVD metadata identifies CWE-89 and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVE description states the flaw is in inc/lib/Options.class.php and can be triggered through the modules parameter. The supplied references include a GitHub issue (#68) and the GeniXCMS v1.0.0 release, which are the only patch-related links provided. Note that the corpus contains an attribution inconsistency: the vendor field is normalized to Metalgenix in the NVD CPE data, while the vulnerability description and references clearly refer to GeniXCMS.

Official resources

Publicly disclosed on 2017-01-23. No KEV entry is listed in the supplied corpus, and the record remains marked as modified on 2026-05-13 in the source database metadata.